6

I can see clearly how discretionary access control (DAC) works by checking the properties of a file on my MSWindows machine, the file has attributes and the owner of the file can do almost anything with it like making it available for everyone to read, transfer the ownership to an other user or even delete it

However I cant find any visible example that I can actually see in a GUI that might help me to understand how mandatory access control (MAC) works? can I create a file under MAC? How does the file get its attributes? and how is it possible that I don't own it?

Ulkoma
  • 8,773
  • 17
  • 68
  • 96

1 Answers1

12

There are a couple of places that you can see Mandatory Access Control (MAC) systems in operation in consumer OSs, that spring to mind.

SELinux is installed on a number of linux distributions and can be set in enforcing mode which would show an example.

Also windows Mandatory Integrity Levels are another example.

Seeing an example of this could be done by getting a Windows 8 machine and trying to modify files within a windows 8 store programs installation directory (under the hidden directory c:\program files\windowsapps). Even as an administrative user you will be prevented from changing these files via standard OS tools even after you have "taken ownership" of the file, which in a DAC system would usually allow you to modify it..

Rory McCune
  • 62,266
  • 14
  • 146
  • 222
  • I don't find the "ownership" reason justified in parlance with MAC. Does MAC mean "privilege" on Windows? "Take Ownership" is a privilege, which can be assigned to users also. Where MAC is coming into picture? – Ajay Dec 18 '15 at 17:36